March 26, 2002

CHARLES E. BRAVO
SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER

ROBERT L. OTTO
VICE PRESIDENT, INFORMATION TECHNOLOGY

SUBJECT: Audit Report - Vehicle Operations Information System (Report Number EM-AR-02-005)

This report presents the results of our audit of the Vehicle Operations Information System (Project Number 01BS009IS000). This audit was a self-initiated review that was included in our fiscal year 2002 Audit Workload Plan.

The audit disclosed Postal Service program management did not always follow established Postal Service system development guidelines, policies, and directives during requirements definition and that a key deliverable was not fully completed. As a result, program management may select a commercial off-the-shelf package that does not effectively secure sensitive information contained in the system. In addition, program management cannot ensure that the development process was appropriately monitored, established standards were followed, and system inadequacies were brought to management’s attention. The Vehicle Operations Information System has been cancelled due to budget constraints. Management agreed with our recommendations and should the project be restarted, appropriate actions will be taken to address the recommendations in this report. Management’s comments and our evaluation of these comments are included in this report.

We appreciate the cooperation and courtesies provided by your staff during the review. If you have any questions or need additional information, please contact Robert Batta, director, Electronic Commerce and Marketing, at (703) 248-2100, or me at (703) 248-2300.

Ronald D. Merryman
Acting Assistant Inspector General for eBusiness

Attachment

cc: James W. Buie
    James L. Golden
    Susan M. Duchek

Vehicle Operations Information System    EM-AR-02-005

TABLE OF CONTENTS

Executive Summary

Part I

Introduction
    Background
    Objectives, Scope, and Methodology
    Prior Audit Coverage

Part II

Audit Results
    Systems Development Guidelines, Policies, and Directives
        Detailed Data Requirements
        Recommendation
        Management’s Comments
        Evaluation of Management’s Comments
        Detailed Security Requirements
        Recommendations
        Management’s Comments
        Evaluation of Management’s Comments
        Independent Software Quality Assurance Representative
        Recommendation
        Management’s Comments
        Evaluation of Management’s Comments
    Key Deliverable
    Recommendation
    Management’s Comments
    Evaluation of Management’s Comments
    Additional Areas for Management Consideration
        Decision Analysis Report Improvements
        Formally Approved Requirements

Appendix A. Glossary

Appendix B. Management’s Comments

Restricted Information

EXECUTIVE SUMMARY

Introduction

There are five major stages in the systems development life cycle.[1] Each stage has several process points that need to be accomplished to develop a successful project. This report presents our self-initiated audit of the feasibility study and requirements definition of the Vehicle Operations Information System. This is the fourth report in a series of Office of Inspector General (OIG) audits of Postal Service initiatives in the early phases of development. By early involvement in the process, the OIG can make recommendations to resolve issues in development prior to system implementation. Studies indicated that it is up to 100 times more costly to make changes after a system is placed into production.
Our objectives were to determine if Postal Service management: (1) followed sound systems development life cycle processes, (2) produced key deliverables, and (3) included key security features during systems development.

Results in Brief

Our review found program management did not always follow established Postal Service system development guidelines, policies, and directives during requirements definition of the Vehicle Operations Information System. Specifically, detailed data and security requirements were not defined, and an independent software quality assurance representative[2] was not assigned. In addition, we found that a key deliverable was not fully completed during the concept phase.

As a result, program management may select a commercial off-the-shelf package that does not effectively secure sensitive information contained in the system. In addition, program management cannot ensure that the development process was appropriately monitored, established standards were followed, and system inadequacies were brought to management’s attention.
Further, program management could not ensure that the project initiative was justified, alternative solutions were properly analyzed, and the solution selected would satisfy the functional requirements.

[1] A systems development life cycle is a logical process by which systems analysts, software engineers, programmers, and end users build information systems and computer applications to solve business problems and needs.

[2] The software quality assurance representative independently facilitates the development of defect free products that meet all requirements and are delivered on time at the lowest possible cost.

Summary of Recommendations

We concluded that the Vehicle Operations Information System development effort should remain in the planning phase until completion of the recommended actions. Specifically, we recommended management conduct a feasibility study, risk assessment, business impact assessment, appoint a software quality assurance representative, and define detailed data and security requirements before moving the project to the design phase.

Summary of Management’s Comments

Management agreed with our recommendations. However, the Vehicle Operations Information System has been cancelled due to budget constraints.
For that reason, management does not believe there is value in addressing the specific recommendations contained in this audit report. Should the project be restarted, appropriate actions will be taken to address the recommendations contained in this report. Management’s comments, in their entirety, are included in Appendix B of this report.

Overall Evaluation of Management’s Comments

Management’s comments were responsive to our findings and recommendations. We agree with management that should the Vehicle Operations Information System project be restarted, appropriate actions will be taken to address the recommendations contained in this report. However, since the project has been cancelled due to budget constraints, we recommend closure of all recommendations.

INTRODUCTION

Background

The Postal Service operates a large fleet of motor vehicles used to move and deliver mail throughout the United States. The Delivery Vehicle Operations Group has responsibility for repair and maintenance of vehicles in this fleet.
The Vehicle Management Accounting System is currently used to track the cost of vehicle operation and to schedule and manage repair and maintenance operations. The Postal Service decided to replace the Vehicle Management Accounting System with the Vehicle Operations Information System. The Postal Service planned that the new system will use a commercial off-the-shelf software package to provide information management for all vehicle repair and maintenance operations, as well as tracking and analysis of the total cost of vehicle operations.

The Vehicle Operations Information System will support approximately 5,000 users. These users are located at 193 Postal Service vehicle maintenance facilities, 148 auxiliary vehicle maintenance facilities, Postal Service Headquarters, area offices, and district offices. The system would be used to manage repair and maintenance operations and records for approximately 250,000 leased and Postal Service owned motor vehicles.
In addition, it would help manage parts inventories with over 250,000 individual inventory line items system wide, and would be used to manage fuel and oil inventories stored in more than 1,000 bulk storage tanks.

When our review took place, the Vehicle Operations Information System was at the end of the planning phase undergoing review of commercial off-the-shelf software packages.

Objectives, Scope, and Methodology

The purpose of this audit was to evaluate the Postal Service’s Vehicle Operations Information System development effort in the concept and planning phases of the systems development life cycle. We reviewed the feasibility study and requirements definition process points of the development effort.
Specifically, for these processes, we determined if Postal Service management: (1) followed sound systems development life cycle processes, (2) produced key deliverables, and (3) included key security features during systems development.

To accomplish our first objective, we interviewed key project management personnel, including the program manager, program owner, developers, and the information system security officer. In addition, we reviewed the business needs statement, project plan, functional requirements document, and Postal Service security policies and directives. To accomplish our second objective, we interviewed key project management personnel and end-users to determine their involvement in the development effort.
In addition, we reviewed the draft Decision Analysis Report, assessment study,[3] and contract documents. Finally, to accomplish our third objective, we interviewed the information system security officer and reviewed appropriate requirements documents.

[3] The assessment study was conducted to analyze the current vehicle operations database environment.

We conducted audit fieldwork at Postal Service Headquarters and the processing and distribution center, in Merrifield, Virginia, from September through October 2001. In addition, we also reviewed applicable laws and regulations, as well as industry standards and best practices. This audit was conducted from September 2001 through March 2002 in accordance with generally accepted government auditing standards and included tests of internal controls as were considered necessary under the circumstances. We discussed our conclusions and observations with appropriate management officials and included their comments, where appropriate.
We did not rely on computer-generated data to accomplish the objectives of this audit.

Prior Audit Coverage

Our September 29, 2000, report, State of Computer Security in the Postal Service (Report Number IS-AR-00-004) cited that: (1) many Postal Service managers were not fully aware of their responsibilities for computer security; and many Postal Service officials viewed computer security as the sole responsibility of the information technology office; (2) a lack of security awareness has resulted in less than sufficient emphasis placed on planning and budgeting for computer security; (3) policies and procedures for computer security were nonexistent, outdated, or oftentimes not implemented or followed; and (4) the National Information Systems Security organization did not have computer security enforcement authority, and was understaffed, underfunded, and not visible postalwide. Management agreed with Office of Inspector General’s recommendations and indicated they are working to address the issues.

AUDIT RESULTS

Systems Development Guidelines, Policies, and Directives

We found program management did not always follow established Postal Service systems development guidelines, policies, and directives during requirements definition of the Vehicle Operations Information System. Specifically, detailed data and security requirements were not defined, and an independent software quality assurance representative was not assigned. As a result, program management may select commercial off-the-shelf software that does not effectively secure the sensitive information contained in the system. In addition, program management cannot ensure that the development process was appropriately monitored, established standards were followed, and system inadequacies were brought to management’s attention.

The purpose of this audit was to evaluate the Postal Service’s Vehicle Operations Information System development effort in the concept and planning phases of the systems development life cycle. Specifically, for these processes, we determined if Postal Service management followed sound systems development life cycle processes, produced key deliverables, and included key security features during systems development.
Audit fieldwork was conducted from September through October 2001.

Data requirements describe the following components of data: relationship, storage, volume, definition or logical representation, location, any interfaces, or security requirements. In addition, data requirements define how the data will migrate into the new system. Security requirements describe all security restrictions such as limiting access to hardware, software, network and data; defining level of access by user such as read, write, and execute; or whether the data will be confidential or available for public use.

Detailed Data Requirements

Program management defined data requirements, such as data descriptions, potential data elements, and the impact of data requirements at a high level in the functional requirements document. However, these requirements did not contain the appropriate level of detail.
In addition, some data requirements were not defined at all, such as technical information about dynamic and static data collection requirements, subjects or other grouping mechanisms used by the system, description of the characteristics for each, and the procedures for data collection.

The Postal Service Software Process Standards and Procedures guideline states that data requirements are necessary to satisfy the business need, as identified in the business needs document. This guideline also states that technical solutions should not be identified, until the requirements document, which includes data requirements, has been reviewed and approved by the end-users.

Program management told us that this occurred because detailed data requirements should be developed in the design phase, which would occur prior to selecting commercial off-the-shelf software. Program management explained that they solicited and reviewed commercial off-the-shelf software to gain an initial understanding of the software’s capabilities.
They planned to adjust their data elements to fit those established in the commercial off-the-shelf software, thus reducing the high costs associated with customizing the software. However, program management also indicated there are unique Postal Service data elements that cannot be changed. Program management explained that the commercial off-the-shelf providers would have to demonstrate their ability to customize their software to meet these unique data requirements, prior to contract award.

We concluded program management is taking a proactive approach to select commercial off-the-shelf software. As a consequence, program management reduced costs by limiting the amount of customization to the commercial off-the-shelf software.

Recommendation

We recommend the senior vice president, chief technology officer, ensure:

    1. Detailed data requirements are defined and included in the requirements document and ensure commercial off-the-shelf providers demonstrate their ability to meet these requirements, prior to contract award.

Management’s Comments

Management agreed with the recommendation. However, management has cancelled the Vehicle Operations Information System due to budget constraints.
Should the project be restarted, appropriate actions will be taken to address the recommendation.

Evaluation of Management’s Comments

Management’s comments were responsive to our finding and recommendation. We recommend closure of this recommendation.

Detailed Security Requirements

Program management referenced applicable Postal Service security policies and directives in the functional requirements document. We found that security requirements, such as general controls, methods for detecting errors and irregularities, responsibilities for the protection of sensitive information, and protection against system tampering were defined at a high level in these security policies and directives. However, detailed security requirements were not established to mitigate potential risks and exposures associated with the site locations and application.

The information security process states that the management control process must address information protection, internal controls, privacy, and security issues in the original system design.
The process requires a risk assessment program to be performed, which evaluates potential risks and exposures associated with both the site and the application. The process also requires completion of a business impact assessment, which addresses the disclosure and unauthorized modification of sensitive information, the unauthorized destruction or unavailability of critical information, legal and regulatory requirements, and prudent business practices. In addition, security controls must be implemented to satisfy the mandatory security requirements to protect sensitive, critical, and business-controlled information resources.

Detailed security requirements were not established because program management had not followed Postal Service guidelines to ensure security requirements were defined. Specifically, program management had not completed a risk assessment and business impact assessment which are key components to developing detailed security requirements.
As a result, program management may select commercial off-the-shelf software that does not effectively secure the sensitive information contained in the system.

Recommendations

We recommend the senior vice president, chief technology officer, ensure:

    2. A risk assessment is completed, which addresses information protection, internal controls, privacy, and security issues.

    3. A business impact assessment is completed, which identifies the sensitivity and criticality levels of Postal Service information resources that will reside in the Vehicle Operations Information System.

    4. Detailed security requirements are defined and included in the requirements document, which mitigate the risks identified during the risk assessment and business impact assessment.

Management’s Comments

Management agreed with the recommendations. However, management has cancelled the Vehicle Operations Information System due to budget constraints.
Should the project be restarted, appropriate actions will be taken to address these recommendations.

Evaluation of Management’s Comments

Management’s comments were responsive to our finding and recommendations. We recommend closure of these recommendations.

Independent Software Quality Assurance Representative

Program management did not appoint a key development team member. Specifically, the program manager did not have a software quality assurance representative.

The Postal Service Software Process Standards and Procedures guideline recommends that at project initiation a software quality assurance representative should be appointed to each project. The guidelines also recommend that the software quality assurance representative perform a review of the requirements document, prior to the end-users review.

The engineering software process improvement guideline states that the product assurance organization is responsible for ensuring software products meet customer’s quality expectations throughout the systems development life cycle.
Specifically, product assurance validates and verifies field worthiness of
software, provides support during software testing, performs independent
audits, and monitors process compliance.

An appointment was not made because program management did not follow existing
Postal Service policies and guidelines or establish an alternate system of
controls. As a result, program management cannot ensure that the development
process was appropriately monitored, established standards were followed, and
system inadequacies were brought to management’s attention.

Recommendation

We recommend the senior vice president, chief technology officer:

5. Formally appoint an independent software quality assurance representative
   to the remaining system development tasks.

Management’s Comments

Management agreed with the recommendation. However, management has cancelled
the Vehicle Operations Information System due to budget constraints.
Should the project be restarted, appropriate actions will be taken to address
the recommendation.

Evaluation of Management’s Comments

Management’s comments were responsive to our finding and recommendation. We
recommend closure of this recommendation.

Key Deliverable

Program management did not perform all the aspects of a feasibility study for
the Vehicle Operations Information System. We found that the development team
conducted an assessment study of the current system, which identified the
strengths and weaknesses of the local area network and mainframe components of
the existing system. However, they did not evaluate alternative solutions to
ensure established objectives and business needs were achieved.

The Postal Service Software Process Standards and Procedures guideline states
that a feasibility study should be prepared to justify the project initiative,
analyze alternative solutions, and recommend a specific course of action.
This guideline also provides a feasibility study template, which addresses the
scope, summary, business need, alternative solutions, cost/benefit analysis,
alternatives eliminated, conclusion and recommendation, and exhibits.

Industry best practices recommend that each alternative be evaluated to ensure
that the organization has the capability to manage the technology, time and
cost estimates can be supported, and costs and benefits are identified. In
addition, impact studies should be conducted to measure the current and
anticipated cost savings and revenue increases, as well as provide insight
into the benefits to be delivered.

The Postal Service F-66 Handbook, General Investment Policy, requires the
project to be properly analyzed (that is, all viable alternatives considered,
the impact of the investment properly evaluated, and the backup documentation
adequately supports the investment) and appropriate concurrences for major
assumptions have been obtained.

The feasibility study was not fully completed because program management
believed the assessment study met the needs of a feasibility study. However,
our review of the assessment study disclosed it did not contain all the
required elements of a feasibility study.
As a result, program management could not ensure that the project initiative
was justified, alternative solutions were properly analyzed, and the solution
selected would satisfy the functional requirements.

Recommendation

We recommend the senior vice president, chief technology officer:

6. Complete the remaining elements of the feasibility study on Vehicle
   Operations Information System prior to obtaining funding approval.

Management’s Comments

Management agreed with our recommendation. However, management has cancelled
the Vehicle Operations Information System due to budget constraints. Should
the project be restarted, appropriate actions will be taken to address the
recommendation.

Evaluation of Management’s Comments

Management’s comments were responsive to our finding and recommendation. We
recommend closure of this recommendation.

Additional Areas for Management Consideration

During our review of the Vehicle Operations Information System, we also noted
the following conditions:

Decision Analysis Report Improvements

Program management indicated that they are in the process of finalizing the
Decision Analysis Report for the Vehicle Operations Information System. During
our review of the draft Decision Analysis Report, we found that the following
areas of the report could be improved:

• A measure to support the statement about the second and third alternatives
  not being cost prohibitive.

• A discussion on the need for protection of privacy of data.

• A discussion on the impact and cost of internal control requirements.

• A risk management section, which explains how the funds will be spent. This
  may include a general discussion of how the Vehicle Management Accounting
  System and the Vehicle Operations Information System requirements have been
  prioritized.

• Discussion as to staging of the requirements and bringing modules into
  production. Replacing all the functionality at once may be too much to
  accomplish at one time. It may make sense to discuss the basic Vehicle
  Management Accounting System requirements in the new system first, then the
  new improvements.

• Identification of the accounting interfaces or the basic accounting
  functions of the Vehicle Management Accounting System that will be present
  in the Vehicle Operations Information System.

Formally Approved Requirements

Program management indicated that the requirements document does not include a
sign-off sheet or any indication by Postal Service management that the
requirements were formally accepted. The program manager and end users
verbally indicated that they are satisfied all requirements are included in
the requirements document.
However, having all responsible parties sign the document would verify the
requirements have been formally accepted and approved.

APPENDIX A. GLOSSARY

Term: Description

Assessment Report: The assessment study was conducted to analyze the current
vehicle operations database environment.

Business Impact Assessment: The business impact assessment addresses the
disclosure and unauthorized modification of sensitive information, the
unauthorized destruction or unavailability of critical information, legal and
regulatory requirements, and prudent business practices.

Commercial Off-the-Shelf Software: Software available through lease or
purchase in the commercial market from an organization representing itself to
have ownership of marketing rights in the software.

Data Requirements: Data requirements describe the data, data relationships,
data storage, volume of the data, definitions or logical data representation,
where data may currently be located, any data interfaces, or security
requirements of the data. In addition, data requirements define how the data
will be migrated into the new system.

Decision Analysis Report: The Decision Analysis Report is a document developed
by the requiring organization to justify a project investment and to assist
the approval authorities in making decisions concerning the use of Postal
Service funds.

Dynamic Data: Dynamic data is data that can be changed.

Feasibility Study: The feasibility study is a document that justifies the
project initiative, analyzes alternative solutions, and recommends a specific
course of action. The feasibility study typically includes scope, summary,
business need, alternative solutions, cost/benefit analysis, alternatives
eliminated, conclusion, recommendation, and exhibits to be addressed.

General Controls: General controls are the structure, policies, and procedures
that apply to an entity’s overall computer operations. They create the
environment in which application systems and controls operate.

Impact Studies: Impact studies measure the current and anticipated cost
savings and revenue increases that organizations believe have been created by
their investment in the proposed solutions, as well as provide insights into
the mechanisms by which the benefits are to be delivered.

Risk Assessment: A risk assessment evaluates potential risks and exposures
associated with both the site and the application, such as information
protection, internal controls, privacy, and security issues.

Security Requirements: Security requirements describe all security
restrictions such as limiting access to hardware, software, network and data;
defining level of access by user such as read, write, and execute; or whether
the data will be confidential or available for public use.

Software Quality Assurance Representative: The software quality assurance
representative independently facilitates the development of defect free
products that meet all requirements and are delivered on time at the lowest
possible cost.

Static Data: Static data is bound to memory cells before program execution
begins and remains bound to those same memory cells until program execution
terminates.

Systems Development Life Cycle: A systems development life cycle is a logical
process by which systems analysts, software engineers, programmers, and end
users build information systems and computer applications to solve business
problems and needs.

APPENDIX B. MANAGEMENT’S COMMENTS